SADA saved the Google Cloud Platform from what could have been a disaster.
Security experts at SADA said they had found a significant flaw in the Google Cloud Platform, which the tech giant has since fixed.
The “Asset Key Theft” flaw could have let attackers steal the secret keys of Google Cloud service accounts. SADA said that the flaw “would have given attackers a persistent and reliable way to abuse a Google Cloud environment.”
SADA reported the problem in Google's cloud hosting business through the company's Bug Hunters reward program, a safe channel for researchers to tell the tech giant about flaws they find in its products.
API flaw
SADA considered the problem significant because third-party cloud security tools, such as Cloud Security Posture Management (CSPM) tools, rely on the same ability to pull cloud inventory data from the API.
The bug was found in the Cloud Asset Inventory API, part of the Google Cloud Platform. It impacted all Google Cloud users who had enabled this API and had cloudasset.assets.searchAllResources permissions on the relevant Google Cloud environment.
Once SADA reported it, Google verified the flaw was real and then fixed the hole. SADA warns, though, that customers may still have been affected, and the threat may have persisted even after the patch.
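Two checks a defender would run for the two conditions just described, as an added example (not SADA's or Google's code): find which principals hold cloudasset.assets.searchAllResources through their role bindings, and list the user-managed service account keys that predate the fix and should be rotated, since a key copied before the patch stays valid afterwards. The role contents, key list and fix date below are constructed placeholders; real input comes from the gcloud commands named in the comments.

```python
from datetime import datetime, timezone

# Permission the article names as the precondition for exposure.
SENSITIVE_PERM = "cloudasset.assets.searchAllResources"

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`.
POLICY = {"bindings": [
    {"role": "projects/example/roles/inventoryReader",
     "members": ["serviceAccount:cspm-scanner@example.iam.gserviceaccount.com"]},
    {"role": "roles/logging.viewer", "members": ["user:alice@example.com"]},
]}
# Constructed role contents; real ones come from `gcloud iam roles describe ROLE`.
ROLE_PERMS = {
    "projects/example/roles/inventoryReader": {SENSITIVE_PERM, "cloudasset.assets.listResource"},
    "roles/logging.viewer": {"logging.logEntries.list"},
}
# Constructed sample of `gcloud iam service-accounts keys list --format=json`.
KEYS = [
    {"name": "projects/example/serviceAccounts/app@example.iam.gserviceaccount.com/keys/aaaa1111",
     "keyType": "USER_MANAGED", "validAfterTime": "2022-06-01T00:00:00Z"},
    {"name": "projects/example/serviceAccounts/app@example.iam.gserviceaccount.com/keys/bbbb2222",
     "keyType": "USER_MANAGED", "validAfterTime": "2023-03-01T00:00:00Z"},
    {"name": "projects/example/serviceAccounts/app@example.iam.gserviceaccount.com/keys/cccc3333",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2022-01-01T00:00:00Z"},
]
# Placeholder: the article gives no fix date, so substitute the real one here.
PATCH_TIME = datetime(2023, 1, 1, tzinfo=timezone.utc)


def principals_with_permission(policy, role_perms, perm=SENSITIVE_PERM):
    """Map each principal to the bound roles that grant `perm` to it."""
    hits = {}
    for binding in policy.get("bindings", []):
        if perm in role_perms.get(binding["role"], set()):
            for member in binding.get("members", []):
                hits.setdefault(member, set()).add(binding["role"])
    return hits


def keys_to_rotate(keys, patch_time=PATCH_TIME):
    """User-managed keys that existed before the fix may already have been copied,
    and a copied key stays valid until revoked, so return their key ids for rotation."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed key pairs are never exported, so only user-managed keys are in scope
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if created < patch_time:
            stale.append(key["name"].rsplit("/", 1)[-1])
    return stale
```

Feed the two functions the JSON from the gcloud commands named in the comments; every principal returned by the first and every key id returned by the second is an item to review or rotate.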
“When it comes to security, we have to be constantly on guard to help our customers as they move their businesses to the cloud,” says Miles Ward, CTO of SADA. “No public cloud is safe from vulnerabilities, and when we find one, we all need to act quickly, work together openly, and communicate clearly.”
“We’re happy with how quickly and fully Google Cloud fixed this bug after we told them about it. We’re happy with how hard SADA’s engineers work to keep our users’ data safe.”